There’s no safety in (phone) numbers

August 19, 2019

How many of us have “exchanged digits” with new acquaintances, written our phone numbers on customer profiles, and entered them into job applications? Roughly 100%? And what could possibly be wrong with this practice?

A column posted on August 15 by Brian X. Chen, the lead Consumer Technology writer at The New York Times may change your mind about that. Chen encourages readers, “Before you hand over your number, ask yourself: Is it worth the risk?”

Now that many of us have shifted from landlines to mobile devices, we rarely change phone numbers—bringing them with us when we move homes, schools, jobs, and accounts..

At the same time, the Times reports, our exclusive string of digits has increasingly become connected to apps and online services that are hooked into our personal lives. And it can lead to information from our offline worlds, including where we live and more.

In fact, your phone number may have now become an even stronger identifier than your full name, Chen believes.

He went out of his way to prove this theory recently, when he provided his phone number to Fyde, a mobile security firm based in Palo Alto, California.

Emre Tezisci, a security researcher at Fyde—and a self-described “ninja engineer” with a background in telecommunications, took on the task “with gusto,” Chen wrote, noting that, for purposes of the test, he and Tezisci previously “had never met or talked.”

Tezisci quickly plugged Chen’s cellphone number into White Pages Premium, an online database that charges $5 a month for access to public records. He then did a thorough web search and followed a data trail — linking Chen’s name and address to information in other online background-checking tools and public records — to track down more details.

“Soon,” Chen wrote in his Times column, “he had a full dossier on me — including my name and birth date, my address, the property taxes I pay and the names of members of my family.

From there, the situation quickly might have deteriorated. Tezisci could have used that information to try to answer security questions that would enable him to break into Chen’s online accounts. Or he could have targeted Chen or his loved ones with sophisticated phishing attacks. He and the other researchers at Fyde opted not to do so, since such attacks are illegal.

“If you want to give out your number, you are taking additional risk that you might not be aware of,” Fyde CEO Sinan Eren,  told Chen in an interview. “Because of collisions in names due to the massive number of people online today, a phone number is a stronger identifier.”

In just an hour, this is what the Fyde researcher found:

  • Chen’s current home address, its square footage, the cost of the property and the taxes he pays on it;
  • His past addresses from the last decade;
  • The full names of his mother, father, sister, and aunt;
  • Past phone numbers, including the landline for his parents’ home; and
  • Lack of a criminal record.

While Fyde declined to hack into Chen’s accounts , the company warned that there was plenty an attacker could do with the information:

  • Reset the password for an online account by answering such security questions as “What is your mother’s maiden name?”
  • Trick a customer service representative for that person’s phone carrier into porting my number onto a new SIM card, thus hijacking my digits — a practice called SIM swapping.
  • Mislead members of the person’s family into sharing their passwords or sending money.
  • Target the phone number with phishing texts and robocalls.
  • Break into the person’s voicemail and listen to messages.

So, when is it wise to share your number (and when is it not?

There are some situations when sharing your phone number is reasonable. When you enter your user name and password to get into your online banking account, the bank may call or text you with a temporary code that you must enter before you can log in. This is a security mechanism known as two-factor verification. In this situation, your phone number is a useful extra factor to prove you are who you say you are, The Times writer notes.

But which companies should you trust with your phone number? Unfortunately, Chen says, there is no neat solution.

As for two-factor authentication, most tech companies offer other verification options. They include apps that generate temporary security codes or a physical security key that can be plugged in. Generally, those are safer to use than a phone number.

Finally, a word to the wise: If you have business cards with your personal number printed on them, shred them and order new ones with just your office line.

Research contact: @nytimes

Leave a Reply

Your email address will not be published. Required fields are marked *